Classifying malware as images. WeChat surveillance. Examining Maze operations.

May 12, 2020

At a glance.

  • Classifying malware by representing code as images.
  • WeChat monitors international users to build up censorship database.
  • More OceanLotus-linked malicious Android apps identified.
  • A look at Maze operations over the past year.

Classifying malware by representing code as images.

Researchers at Microsoft and Intel teamed up to study new ways of classifying malware using deep-learning techniques, specifically by converting malware binaries into images and training "a very deep neural network to extract the deep-represented features." The researchers call this technique "STAMINA" (Static Malware-as-Image Network Analysis).

To convert a malware binary into an image, the researchers mapped each byte to a value between 0 and 255, which corresponds to pixel intensity. After this, "[e]ach pixel stream was then transformed into a two-dimensional image by using the file size to determine the width and height of the image." Next, they modified a previously existing neural network to adapt it for malware classification, then retrained and tested it on "a dataset of 2.2 million PE file hashes provided by Microsoft." They found that this technique could identify the malware binaries with 99.07% accuracy, with a 2.58% false-positive rate.
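The byte-to-pixel step described above, as an added example (not code from the STAMINA researchers). The size-to-width thresholds and the zero padding of the final row are assumptions made for illustration; the page says only that file size determines the image dimensions.

```python
import math

# Illustrative size-to-width thresholds (assumption; the page gives no values).
WIDTH_BY_SIZE = [(10 * 1024, 32), (30 * 1024, 64), (60 * 1024, 128),
                 (100 * 1024, 256), (200 * 1024, 384), (500 * 1024, 512),
                 (1000 * 1024, 768)]
MAX_WIDTH = 1024


def pick_width(size):
    """Choose the image width from the file size in bytes."""
    for limit, width in WIDTH_BY_SIZE:
        if size < limit:
            return width
    return MAX_WIDTH


def bytes_to_image(data, pad=0):
    """Map each byte (0-255) to one grayscale pixel and wrap into rows."""
    if not data:
        raise ValueError("empty input")
    width = pick_width(len(data))
    height = math.ceil(len(data) / width)
    # Pad the last row so every row has the same width (assumption).
    padded = data + bytes([pad]) * (width * height - len(data))
    return [list(padded[r * width:(r + 1) * width]) for r in range(height)]


def to_pgm(rows):
    """Serialize the pixel rows as a binary PGM (P5) grayscale image."""
    height, width = len(rows), len(rows[0])
    header = f"P5\n{width} {height}\n255\n".encode()
    return header + bytes(b for row in rows for b in row)


# Constructed sample input: an 'MZ' marker followed by patterned bytes.
SAMPLE = b"MZ" + bytes(range(256)) * 5  # 1282 bytes

if __name__ == "__main__":
    image = bytes_to_image(SAMPLE)
    print(len(image[0]), "x", len(image), "pixels")
```

The resulting image would then be resized to the fixed input size of the neural network, which is the step the researchers say becomes a limitation for very large files.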

This method isn't always superior to classification methods based on metadata. Microsoft explains that "STAMINA can go in-depth into samples and extract additional signals that might not be captured in the metadata. However, for bigger size applications, STAMINA becomes less effective due to limitations in converting billions of pixels into JPEG images and then resizing them. In such cases, metadata-based methods show advantages over our research."

WeChat monitors international users to build up censorship database.

The University of Toronto's Citizen Lab determined that WeChat monitors and analyzes communications between accounts not registered in China in order to "invisibly train and build up" its censorship database for domestic users. It was previously known that WeChat monitored China-based conversations for politically sensitive content, but it wasn't known that such surveillance extended to accounts registered internationally (and the company's privacy policy makes no mention of this).

The researchers explain that WeChat maintains a database of MD5 hashes to instantly censor politically sensitive content for users in China, and it analyzes all files whose hashes aren't in the database to determine if they should be censored. If a new file is deemed sensitive, its hash is added to the database. Importantly, the hash-based censorship occurs in real time, so the China-registered account never receives the sensitive file. The content analysis process takes some time, however, so a China-registered account will be able to receive a sensitive file the first time it's transmitted over WeChat.

Citizen Lab conducted two experiments to test whether WeChat monitors communications between internationally registered accounts. In the first experiment, the researchers set up a WeChat group containing accounts not registered in China. Within this group, they sent slightly modified versions of images and documents that had been deemed sensitive in the past. These files still appeared the same as the originals, but they would have different MD5 hashes. Next, they sent the same files to another group containing a China-registered account and found that the files were censored instantly for that account, suggesting that the files' MD5 hashes were already present in WeChat's database.
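A toy model of the two-stage pipeline described above and of the logic behind the first experiment, as an added example (not Citizen Lab's or WeChat's code). The class, the `is_sensitive` stand-in for content analysis and the sample bytes are all constructed for illustration.

```python
import hashlib


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


class HashFilter:
    """Real-time MD5 blocklist plus a slower content-analysis queue."""

    def __init__(self, is_sensitive):
        self.blocklist = set()            # MD5 digests of known-sensitive files
        self.pending = []                 # files awaiting content analysis
        self.is_sensitive = is_sensitive  # stand-in for the real analysis

    def send(self, data, recipient_in_china):
        digest = md5_hex(data)
        if digest in self.blocklist:
            # Real-time stage: only China-registered recipients are censored.
            return "blocked" if recipient_in_china else "delivered"
        self.pending.append((digest, data))  # unknown hash: analyze later
        return "delivered"

    def run_analysis(self):
        """Slow stage: add the hashes of files judged sensitive."""
        for digest, data in self.pending:
            if self.is_sensitive(data):
                self.blocklist.add(digest)
        self.pending.clear()


ORIGINAL = b"SENSITIVE image bytes (constructed sample)"


def new_filter():
    f = HashFilter(lambda d: b"SENSITIVE" in d)
    f.blocklist.add(md5_hex(ORIGINAL))  # the original is already known
    return f


def experiment_one():
    """Modified file goes between non-China accounts, then to a China account."""
    f, modified = new_filter(), ORIGINAL + b"\x00"  # same content, new MD5
    first = f.send(modified, recipient_in_china=False)
    f.run_analysis()
    return first, f.send(modified, recipient_in_china=True)


def first_transmission_gap():
    """A never-seen file sent directly to a China account twice."""
    f, fresh = new_filter(), ORIGINAL + b"\x01"
    first = f.send(fresh, recipient_in_china=True)
    f.run_analysis()
    return first, f.send(fresh, recipient_in_china=True)
```

An instant block on the first delivery to a China-registered account, as in `experiment_one`, is only possible if the earlier traffic between non-China accounts was analyzed.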

In the second experiment, the researchers took advantage of flaws in the MD5 algorithm to show that WeChat wasn't somehow censoring the images using some other technique. MD5 hashes are vulnerable to collisions, meaning that two different files can output the same hash under certain circumstances. It's easy to craft files that will result in collisions, so Citizen Lab generated twenty new, sensitive images that would output the same hashes as twenty non-sensitive images. This time, none of the sensitive images were sent to the China-registered accounts. These images were sent between the non-China accounts, and then the non-sensitive images (with the matching hashes) were sent to China-registered accounts. In every case, the non-sensitive images were censored for the accounts registered in China.

WeChat doesn't appear to censor content for non-China-registered accounts, but it does seem that it monitors messages sent by these accounts to supplement its censorship capabilities for accounts registered domestically.

More OceanLotus-linked malicious Android apps identified.

Researchers at Bitdefender offer their own findings related to a long-running mobile malware campaign described by Kaspersky last month and by BlackBerry Cylance in October 2019. The campaign has been tied to the Vietnam-aligned threat actor OceanLotus (APT32), and it involved uploading benign applications to the Google Play Store and various third-party marketplaces, then updating those applications with information-stealing capabilities.

Bitdefender identified thirty-five additional malware samples, as well as evidence suggesting "the campaign may have used a legitimate and potentially stolen digital certificate to sign some samples." The researchers also found that the campaign began eight months earlier than previously thought, with the first malicious sample being uploaded to Google Play in April 2014.

The researchers also point out that third-party marketplaces that mirror the Google Play store aren't as responsive as Google at updating their offerings, so many of the malicious apps that were removed from Google Play are still available in these marketplaces.

A look at Maze operations over the past year.

FireEye and Sophos separately published reports examining Maze ransomware operations. Maze was one of the first ransomware families to use data confidentiality as leverage in its attacks, exfiltrating victims' data before encrypting it in place and then threatening to release the stolen data if the victim doesn't pay the ransom.

FireEye says the malware is distributed by its developers under an affiliate model, with multiple Maze groups displaying distinct TTPs. These groups partner with other criminal hackers who specialize in certain areas, including initial compromise as well as "reconnaissance, privilege escalation and lateral movement." As a result, the researchers "anticipate that the TTPs used throughout incidents associated with this ransomware will continue to vary somewhat, particularly in terms of the initial intrusion vector."

Other actors are paid (sometimes on salary as opposed to commission) to scout potential targets and determine their revenues in order to set a ransom within their pay range. FireEye says this model "allows for specialization within the cyber criminal ecosystem, ultimately increasing efficiency, while still allowing all parties involved to profit."

Increasingly, Maze is deployed manually in targeted attacks rather than being distributed via spam campaigns. These are the attacks that involve data exfiltration. Interestingly, in some instances the operators demand an additional fee for keeping the data private. The operators use a panel to manage their ransom demands, and this panel includes "an option to specify the date on which ransom demands will double."

Sophos's report examines the ways in which Maze has built and maintained its brand since it began making headlines last year. The researchers note that, while Maze wasn't the first ransomware family to use data theft as an extortion technique, its operators have actively worked to make "public exposure central to their 'brand' identity, and actively seeks attention from press and researchers to promote their brand—and make it easy for victims who might hesitate to pay them to find out their reputation."
